Features

Active Directory Role-Based Security

Successful Active Directory management requires distribution of administrative responsibilities
among multiple users (like Help Desk operators or department managers) according
to their operational and administrative role in the organization. Delegation of
administration rights makes Active Directory management much easier
and more efficient, but may pose a number of security risks if not implemented properly.
The native means for Active Directory delegation introduce a number of challenges
and are often ineffective for the following reasons:

The process involves modification and maintenance of multiple Access Control Lists (ACLs)
across many objects in Active Directory, which is very error-prone and often
results in users either lacking the access they need or holding elevated administrative
privileges they don't need.

There is no central place to store and manage permissions, and, as a result, it
is rather challenging to control who has what privileges and why.

Permissions can be applied either at the domain or OU levels only. This significantly
complicates the delegation process, because the Active Directory OU structure is
often designed for effective application of Group Policy Objects, rather than for
delegation of security rights.

Adaxes addresses all the challenges listed above by providing role-based access control for Active Directory. The role-based approach gives you a very high and granular level of control over the permissions you grant to administrators and end-users within Active Directory. The role-based security model enables you to assign permissions to users based on the job roles they hold within your organization and eliminates the need to manually modify ACLs across Active Directory. Because delegation of rights using Adaxes doesn't affect the native Active Directory permissions, you can significantly reduce the number of users with administrative access to the security-sensitive resources in AD.

Role-Based Access Control for Active Directory

Every time you want to assign or revoke privileges, you need to grant or withdraw
a set of permissions necessary to perform a certain job function. To simplify the
process, Adaxes allows you to consolidate permissions into Security Roles and then
assign these roles to users in accordance with their role in the organization. For
example, you can define a security role called Help Desk and associate with that
role a set of administrative tasks typically performed by Help Desk operators (such
as resetting passwords, unlocking user accounts, managing group memberships, etc.).
To grant rights for performing Help Desk duties, you simply need to assign this
role to users and define where in AD these users will be able to execute this role.

To grant or revoke access rights to all users performing the same job function,
you just need to modify the permissions of the security role associated with that
job function. Centrally, easily, and reliably.

Since Adaxes includes built-in security roles for typical responsibilities out of
the box, you don't need to undertake an extensive process of defining your own security
roles. If necessary, you can modify the built-in roles to meet your own needs or
inherit your security roles from already existing ones.

Role-Based Permission Assignments

In assigning an administrative role to users, you are essentially saying that these
users will have the privileges granted by this role within the specified scope of
influence. The scope of influence determines where in Active Directory the users
of the role can perform the delegated activities. For example, suppose you need
to allow your Help Desk team to perform account management tasks on the members
of the Manufacturing department. To do this, you need to assign the Help Desk security
role to an AD group associated with the Help Desk team over the user accounts located
under the 'Manufacturing' OU.

However, what if the members of the Manufacturing department are spread across different
OUs, domains, or forests? Or what if members of the Manufacturing department are
located in the same OU as members of other departments? The native Active
Directory delegation model cannot address these cases, as it only allows you
to delegate permissions with a scope limited to either an entire AD domain or a specific
organizational unit. The role-based delegation model implemented in Adaxes gives
you much more flexibility and a more granular and accurate assignment of
rights by allowing you to delegate permissions over:

all objects located in one or several AD domains or forests,

objects located under an OU (all descendants or only immediate children),

members of AD groups (direct or indirect),

specific AD objects,

members of Business Units (virtual OUs).

Delegating permissions over Business Units is rather beneficial as Business Units
can include AD objects that reside in different OUs, domains, and even forests.
The membership of a Business Unit is defined by flexible membership rules that allow
including AD objects that correspond to certain search criteria, members of AD groups,
objects located under an OU or container, etc. Getting back to the example above,
in order to delegate rights to a group of users over all members of the Manufacturing
department, you can create a Business Unit that will include all user accounts whose
Department property is set to 'Manufacturing' and assign the Help Desk role over
this Business Unit. As a result, the Help Desk team will gain control over all accounts of
users whose Department is set to 'Manufacturing'. When a new user account is
created, or when its Department property is changed, it is automatically added or
removed from the Business Unit, and, consequently, the Help Desk team automatically
gains or loses control over this account.
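To make the difference between the scope kinds listed above and a Business Unit scope concrete, here is an added example in Python that is not part of Adaxes and does not use its API. It models roles, scoped assignments and nested group membership over a small constructed directory (the domain `dc=corp,dc=example`, the users, groups and OU names are all made up), and resolves which objects a Help Desk operator can act on under an OU-subtree scope versus a Business Unit whose membership rule is "Department equals Manufacturing". It generalizes the page's single example by also implementing the immediate-children, group-member and single-object scopes.

```python
# Added example (not Adaxes code): a minimal model of role-based delegation with
# scoped assignments, showing why a Business Unit scope follows an attribute while
# an OU scope follows object location. All DNs, names and rules are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

@dataclass
class ADObject:
    dn: str
    attrs: Dict[str, str] = field(default_factory=dict)
    member_of: Set[str] = field(default_factory=set)  # direct group memberships (DNs)

@dataclass
class Role:
    name: str
    permissions: Set[str]  # consolidated permissions for one job function

@dataclass
class Scope:
    kind: str                      # domain | ou_subtree | ou_children | group | object | business_unit
    base: str = ""                 # DN of the domain / OU / group / object
    rule: Optional[Callable[[ADObject], bool]] = None  # Business Unit membership rule

@dataclass
class Assignment:
    role: Role
    trustee: str                   # user or group DN that holds the role
    scope: Scope                   # where in AD the role may be exercised

def parent_dn(dn: str) -> str:
    # Simplification: RDN values contain no escaped commas.
    return dn.split(",", 1)[1] if "," in dn else ""

def all_groups_of(objects: Dict[str, ADObject], dn: str) -> Set[str]:
    """Direct and nested (indirect) group membership, safe against membership cycles."""
    seen: Set[str] = set()
    todo = list(objects[dn].member_of)
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            if g in objects:
                todo.extend(objects[g].member_of)
    return seen

def in_scope(objects: Dict[str, ADObject], target: ADObject, scope: Scope) -> bool:
    if scope.kind in ("domain", "ou_subtree"):      # all descendants
        return target.dn.endswith("," + scope.base)
    if scope.kind == "ou_children":                 # immediate children only
        return parent_dn(target.dn) == scope.base
    if scope.kind == "group":                       # direct or indirect members
        return scope.base in all_groups_of(objects, target.dn)
    if scope.kind == "object":
        return target.dn == scope.base
    if scope.kind == "business_unit":               # virtual OU: rule evaluated on every check
        return scope.rule(target)
    raise ValueError(f"unknown scope kind {scope.kind}")

def effective_permissions(objects, assignments, actor_dn: str, target_dn: str) -> Set[str]:
    """Union of role permissions from every assignment whose trustee covers the actor
    (directly or through nested groups) and whose scope covers the target."""
    principals = {actor_dn} | all_groups_of(objects, actor_dn)
    target = objects[target_dn]
    perms: Set[str] = set()
    for a in assignments:
        if a.trustee in principals and in_scope(objects, target, a.scope):
            perms |= a.role.permissions
    return perms

def targets_with(objects, assignments, actor_dn: str, perm: str) -> Set[str]:
    """All objects on which the actor holds the given permission."""
    return {dn for dn in objects if perm in effective_permissions(objects, assignments, actor_dn, dn)}

# --- constructed sample directory (not real data) ---------------------------
BASE = "dc=corp,dc=example"
OBJECTS: Dict[str, ADObject] = {}
def _add(dn: str, dept: str = "", groups=()) -> None:
    OBJECTS[dn] = ADObject(dn, {"department": dept} if dept else {}, set(groups))
_add(f"cn=HelpDesk,ou=Groups,{BASE}")
_add(f"cn=HelpDeskL1,ou=Groups,{BASE}", groups=[f"cn=HelpDesk,ou=Groups,{BASE}"])   # nested group
_add(f"cn=dave,ou=IT,{BASE}", groups=[f"cn=HelpDeskL1,ou=Groups,{BASE}"])          # operator
_add(f"cn=alice,ou=Manufacturing,{BASE}", "Manufacturing")
_add(f"cn=erin,ou=Shopfloor,ou=Manufacturing,{BASE}", "Manufacturing")              # nested OU
_add(f"cn=bob,ou=Sales,{BASE}", "Manufacturing")          # same department, different OU
_add(f"cn=carol,ou=Manufacturing,{BASE}", "Finance")      # shares the OU, other department

HELP_DESK = Role("Help Desk", {"reset-password", "unlock-account", "manage-group-membership"})
TRUSTEE = f"cn=HelpDesk,ou=Groups,{BASE}"

# Two ways to delegate the Help Desk role "over Manufacturing":
BY_OU = [Assignment(HELP_DESK, TRUSTEE, Scope("ou_subtree", f"ou=Manufacturing,{BASE}"))]
BY_BU = [Assignment(HELP_DESK, TRUSTEE, Scope("business_unit",
                    rule=lambda o: o.attrs.get("department") == "Manufacturing"))]

if __name__ == "__main__":
    me = f"cn=dave,ou=IT,{BASE}"
    print("OU scope:", sorted(targets_with(OBJECTS, BY_OU, me, "reset-password")))
    print("BU scope:", sorted(targets_with(OBJECTS, BY_BU, me, "reset-password")))
    OBJECTS[f"cn=bob,ou=Sales,{BASE}"].attrs["department"] = "Finance"  # bob changes department
    print("BU scope after change:", sorted(targets_with(OBJECTS, BY_BU, me, "reset-password")))
```

Run as a script, the OU-subtree assignment reaches alice, erin and carol (carol is in the OU but not in the department, bob is in the department but not in the OU), while the Business Unit assignment reaches alice, erin and bob and drops bob as soon as his Department attribute changes. The point for a reviewer of any delegation design is the same one the text makes: a scope that is tied to object location will drift from the business meaning it was meant to capture, so effective permissions should be re-derived from the current attribute values rather than from where an object happened to be created.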

Active Directory role-based access control, provided by Softerra Adaxes, allows you to greatly reduce the complexity and cost of security administration. By defining administrative security roles, you can delegate permissions on the basis of user job functions, which allows you to focus on business processes and eliminates the need to maintain multiple ACLs across Active Directory. The role-based approach allows you to manage Active Directory permissions from a central location, which significantly simplifies the process itself and allows you to efficiently track and monitor access to Active Directory resources.